Course 2 - 205 - Protection of Critical Data & Privacy Flashcards
Why is there such a critical need to protect our data? How has that need evolved? What can we expect moving forward?
Companies are currently spending millions to secure critical information, yet incidents of network intrusions that result in compromised data continue to rise. Business threats associated with inadequate security policies and practices are more significant than ever. The reality of these potential threats—whether as the result of accidental and situational exposures or deliberate attacks—can directly result in the interruption of business services and have a substantial impact on company profitability. These attacks may also result in data breaches that can expose private and confidential information, leading to devastating outcomes for customers, our employees, and our business. Building awareness and managing potential risks therefore becomes essential to the resilience of the organization.
When it comes to information systems, we must not only become proficient at using this data to serve the needs of our company and our customers, we must also become superior custodians of that information as well.
Every source of critical data must be secured and defended to maintain the trust, confidence, and conviction necessary to operate a successful organization.
What is the ultimate goal of Data Security?
The ultimate goal is still to protect the security, confidentiality, integrity, quality, and availability of a company’s information assets.
What are the two most critical components of a strong security policy?
1) Corporate management supports the policy; and
2) The policy aligns information security with the core objectives of the business.
What are some common subject areas typically found in an information security policy?
Employee/Management Roles and Responsibilities
Guidelines for Acceptable and Unacceptable Use of Company Resources (e.g. Internet and Email)
Acceptable Use of Company Software and Hardware
Non-Compliance Issues
Incident Management
Remote Access and Mobile Computing
Information Classification Guidelines
User ID and Password Standards and Management
Physical Security
Data Archiving (how often each user should copy information to an archive file) and Backup Requirements
A framework and foundation for governance
What are the key principles of a sound data security plan?
First, take stock of what you have—know what information you have access to in your files and on your computer. Second, limit access to only the information you need. Limit exposures by managing accessibility (for example, store sensitive information on a company server or other secure location rather than on your laptop), and properly secure or dispose of what you no longer need. Next, keep information in your care locked down and protected: control the “front door” by monitoring and restricting access to your equipment.
Finally, plan ahead. Have a plan to respond to security incidents if they occur. Knowing how to react and respond will help to limit exposures and minimize potential risks and damage.
What are some additional security tips that we should follow on a daily basis?
Keep operating systems updated as necessary and appropriate. The most recent version of any operating system is generally the safest. Protect systems by downloading the latest security updates to limit vulnerabilities.
Back up important data on a regular basis, and store it in a separate location to minimize the risk of data loss. Any data that hasn’t been backed up is at risk. Audit data storage by periodically conducting trial restores to ensure the data is actually being backed up.
Install firewalls on computer systems. A firewall is a combination of software and/or hardware that provides a protective barrier between a computer or computer network and the public Internet. Essentially, firewalls protect your online gateway and block unauthorized access to your computer or computer network.
Use anti-virus software on computers. A computer virus is a program designed to copy itself into other programs stored in a computer, infecting and potentially damaging the files that receive it. Some viruses are mild, while others are very destructive and can wipe out a computer’s memory or even cause more severe damage. Anti-virus software continuously scans your computer looking for viruses, and also checks incoming email and websites for potential threats. Updates must be performed regularly to stay current and effective.
Use spyware protection on computers. Spyware is computer software that is covertly used to gather personal information and monitor user activity and surfing habits, but can also have other potentially harmful consequences such as installing additional software, redirecting Web browser activity, accessing websites blindly, changing computer settings, slowing connection speeds, and otherwise damaging or interfering with user control. Spyware protection must also be updated regularly to remain effective.
Protect passwords! Weak password protocols are a common security flaw that can increase risks. Change passwords frequently and use a “strong” password that is difficult to guess or decipher. Use a combination of letters, numbers, and other characters. Do not share passwords with others, and resist saving passwords when prompted.
Do not open attachments in emails from people or sources you do not know. Filter out unwanted spam email using spam filter programs when possible. Don’t click on anything in a spam email, even to unsubscribe. If possible don’t even open it.
Take precautions when sending sensitive or proprietary information via email. Password protect documents when necessary.
Only allow staff access to the information needed to do their job. For example, as employees move within an organization, access privileges can follow them and quickly accumulate. Ensuring employees only have access to information appropriate for their current position can be an essential step in avoiding manipulation and/or loss of data.
Do not use shared devices (for example, hotel computers) to access information that should be protected.
When possible, encrypt any personal information held electronically if it might cause damage or threat if lost or stolen. Encryption is the changing of data into code, a procedure that renders the content of a message or file unreadable to anyone not authorized to read it.
Audit data storage for security policy enforcement, access control, and proper destruction of appropriate content on a regular basis. Delete information that is no longer necessary, and disable unneeded functionality. Do not dispose of old computers until all pertinent information has been securely removed (using approved wiping technology or by destroying the hard disk). Ensure that computers and other equipment are appropriately cleansed (of information, software, etc.) before they are allocated to another employee.
Always lock your computer when you are away from it. Log off and shut down your computer prior to leaving for the day.
Develop and implement appropriate security protocols regarding the use of removable storage devices (such as external hard drives, flash drives, etc.). Such devices can hold significant amounts of information, and should be carefully monitored and tightly controlled.
Know how to notify appropriate parties immediately in the event digital devices or assets (phones, laptops, confidential documents, etc.) are lost or stolen. Understand the appropriate policies and practices, and maintain access to an emergency contact number.
Recognize information security is not just about protecting the technology—it’s also about protecting physical assets, communications, access controls, and every aspect of our information networks. This would include the physical security of company premises, proper disposal of confidential paper waste, etc. It is also about ensuring that your staff is adequately trained and responsibilities clearly communicated.
What are some important questions that we should consider when constructing our data security systems?
What data is used and stored on the system?
Who uses or otherwise has access to the system?
How do users access the system?
What functions does the system provide, and what is the relative importance of those functions?
Are there other networks, programs or users that share the system? What is the potential connectivity to other networks and/or users?
Where is the system physically located?
How are data backups made, how frequently, and where are they stored? Who has access to them?
Are there any regulatory or statutory requirements that we have to consider?
What is Access Control?
Access control is the ability to monitor and regulate who has access to sensitive areas and/or information. Designed to restrict privileges based on an individual’s identity, access control is commonly applied to the retail world in terms of physical security, computer security, and network security systems.
What are the primary components of an access control system?
The primary component of any access control system is the development of criteria by which access levels to both areas and information are assigned to individuals. Role- and policy-based controls enable the building of complex rules that govern various levels of accessibility to areas and/or information, ensuring security controls while providing adequate access and productivity to meet the various needs of the business. Simply stated, we want to design a system that is secure, but ensures that the appropriate individuals have access to the areas they need to perform their jobs, and in a way that is not a hindrance to day-to-day activities.
In terms of computer security, what are the three essential services of access control?
i) Identification & Authentication
ii) Authorization
iii) Accountability
What is authentication? Name some examples of common authenticators…
This determines who can log on to a system. It is the process of verifying a user’s identity for the purposes of using the system, during which time an “authenticator” is established. Authenticators are typically based on at least one (but sometimes more than one) of the following factors:
Something you know, such as a password or personal identification number (PIN). This assumes only the owner of the account knows the password or PIN necessary to access the account.
Something you have, such as an access card or token. Once again, this assumes only the owner of the account has access to the card or token.
Something you are, which might involve fingerprint identification, voice recognition, retina scans, or other devices.
Where you are, for example whether inside or outside the company firewall.
What is authorization?
This determines what you can do once you are in the system. Most operating systems define permissions that are variations or extensions of three primary types of access:
Read information found in the file contents.
Write or modify the contents of a file by adding, creating, deleting, or renaming files or information.
Execute the file if it is a program (cause the program to be run).
What is a Data Center?
A Data Center is a centralized facility used for the acquisition, storage, processing, analysis, management, and dissemination of data pertaining to a particular business. Data Centers generally house computer systems and associated components such as telecommunications and storage systems. The primary purpose of the Data Center is to run the applications that handle the core business and operational data of the organization.
What are some of the steps that are typically taken to manage the physical environment of the Data Center?
The physical environment of a Data Center is rigorously controlled. Facilities typically include air conditioning systems, fire prevention and suppression equipment and systems, uninterruptible power supplies, backup generators, and other equipment intended to protect and maintain a controlled environment.
Why is it important to have such strict controls over our Data Centers?
While there may be an obvious need for protection against intruders and the intentional harm that they might cause, potential hazards from those working in and around our facilities can pose a similar (and perhaps greater) risk to our business operations and information security. Even the simple mistakes of well-intentioned staff members can pose a significant threat to operations. As a result, every retail company must carefully evaluate its specific security needs and determine the most appropriate and cost-effective measures to restrict access and protect its facilities.
The design of the security system for our data centers should include what basic considerations?
Cost of equipment - Budget considerations often limit extensive use of high-confidence identification methods and equipment. The typical approach is to utilize a variety of techniques that are appropriate to the various needs, functionality, and security levels.
Combining technologies - The reliability of our identification methods at any level can be heightened by layering lower-cost technologies, so that the innermost (highest security) levels enjoy the combined protection of all the outer perimeters that contain them.
User acceptance - Ease of use and reliability of identification are important for preventing the system from becoming a source of frustration and a temptation for subversion.
Scalability - Can the design of our system be easily modified to achieve increased functional demands when necessity, funding and confidence in the technology increase?
What is Defense in Depth?
Defense in Depth is the coordinated use and strategic layering of multiple security countermeasures in our protection plans. A strategy commonly used as part of both physical and cyber-security plans, the idea is based on the principle that it is more difficult for unauthorized individuals to defeat a complex and multi-layered defense than to penetrate a single barrier. While each of these layers on its own might serve as a capable deterrent to unauthorized access, the mitigation of highly technical and complex threats requires a combination of methods; used as part of a well-designed strategy, these methods amplify our security efforts, creating a much stronger, more formidable system.
What are some of the tools commonly used to help protect our Data Centers?
i) Access Tools
Access tools are commonly used to control entry to and exit from sensitive security areas.
Cards and Tokens are frequently used to manage access control. This type of technology will vary in sophistication based on the ability of the device to be reprogrammed, resistance to counterfeiting, convenience and physical format, reader costs, and a variety of other factors. Regardless of how reliable these devices may be, the security provided remains limited, as there is no guarantee the correct individual is using them. Often this method is combined with other security measures (passwords, for example).
Keypads and Coded Locks are widely used as a method of access control. They are very reliable and user-friendly; however, security can be limited by the sharable and guessable nature of codes. “Keypad” generally implies that the system has the ability to accept multiple codes, while “Coded Lock” generally refers to a device having only one code that everyone uses. The security level of these devices can be increased by periodically changing codes, which requires a system for informing users and disseminating new codes.
Biometric Security Technologies. Biometrics are a means for uniquely recognizing people based upon one or more intrinsic physical or behavioral traits. Physical biometrics include fingerprint identification, face recognition, iris recognition, and hand geometry. Behavioral-based biometrics might include signature and handwriting analysis and voice recognition, for example. Biometric technology is rapidly developing, becoming more reliable and less expensive. More affordable options (especially fingerprint recognition) are entering the mainstream of security solutions. Biometric identification is typically not used to recognize identity by searching a database for a match, but rather to corroborate an identity first established by a different method of identification (for example, in concert with a pass code). As costs and performance improve, it may become more common as a stand-alone security device.
ii) Camera Systems
Camera Systems are still widely used as part of our physical access control systems. CCTV systems—both covert and overt—can provide interior and exterior monitoring, serve as an effective deterrent, and provide opportunity for post-incident review. Several types of systems are available depending on purpose and budgets, and can be operated on-site or from remote locations across the Internet.
iii) Security Guards
Security Guards provide the surveillance capability based on the utilization of human senses as well as the ability to respond with mobility and intelligence to suspicious, unusual, or other critical events. Despite the many technological advances in the field of physical security, experts agree that a quality staff of protection professionals remains a premium method for supporting access control efforts.
iv) Sensors & Alarms
Sensors and Alarms take many forms, including motion sensors, contact alarms, heat sensors, laser beam barriers, and other types of sensors and alarms. Some may utilize silent alarm mechanisms, while others use audible alarm devices.
v) Visitor Control
Visitor Control is an important consideration in any security system design. This may consist of a registration/sign-in process and issuance of temporary badges or cards for low security areas, or may require more strict access requirements and designated escorts for high security areas.
Why should an active document retention and destruction policy be considered a priority for any business?
With the changing complexities of document management (which must address both hardcopy materials and electronic data), what organizations keep and what they destroy must be a well thought out process that is appropriately managed. The primary focus of managing this information is based on the need to secure financial and other confidential information against theft or unintended/unauthorized release. And while this is surely a critical component of document management, companies must also consider that the more routine, day-to-day documents created by employees at all levels can also prove to be just as critical to the success or failure of the business.
What are some important tips for developing and maintaining a Document Retention and Destruction program?
A good starting point is to define what constitutes a “business record” and a means to categorize specific records. Records are created for a variety of reasons, but whatever the reason, every record has a useful life from the moment it is created. Having a definition and a means of categorizing documents will make operational record keeping decisions easier and more efficient.
The company’s technology (IT) department should be involved in decisions regarding the policy and methods for enforcement when those policies involve electronic or other related venues and documents.
There should be a clear schedule identifying the minimum and maximum retention periods for all documents covered within the program.
Numerous statutes, regulations, and regulatory instruments impose record keeping requirements on retail organizations and other business entities, generally applicable to specific categories of records. Such requirements may involve what, where, how, and for how long these records must be maintained. All pertinent practices and requirements should be maintained and reviewed on a regular and consistent basis to ensure compliance.
There should be a framework for administration of the program to include training and education, assigning monitoring responsibilities, capability assessments, and a schedule for updating the program so that it reflects current legal requirements and business needs.
Appropriate security and privacy controls must be established to ensure the protection of sensitive/confidential documents. Every company is bound by contract, law, or practice to treat certain information as confidential, and every effort should be made to maintain that trust at all times. This would include security of the storage medium as well as the establishment of stringent procedures and protections when such documents are destroyed. Protection and control should be of paramount concern up to and including document destruction.
The program should be documented, published, and appropriately communicated to enhance understanding, limit confusion, and increase efficiencies.
Clear accountability should be established for enforcement of the program. Involved employees should be properly educated as to the importance of the policies and held accountable for following established guidelines. Routine (scheduled and unscheduled) audits should be conducted to ensure compliance.
There may be instances when the suspension of records destruction is necessary due to incidents such as imminent or current litigation, receipt of subpoenas, government inquiries, audits, or other types of related events that might warrant such action. When such records may be needed beyond the defined retention period, a methodology should be in place which immediately notifies all appropriate personnel of these actions, to include legal counsel, records managers, department managers, IT managers, and operations and loss prevention executives when necessary and appropriate.
What is Caesar’s Cipher?
To communicate with his generals, Caesar used what is now known as Caesar’s cipher, a very simple encryption technique. This was a substitution cipher in which each letter of the text is replaced by a letter a certain fixed number of positions down the alphabet (for example, with a shift of 3, “a” would be replaced with “d”, “b” would be replaced with “e”, and so on). This method was believed to be very effective at the time, especially considering many of Caesar’s enemies would have been illiterate, and others would have assumed that the messages were written in an unknown foreign language.
What are some of the primary business objectives that our information security programs should strive to accomplish?
Information Availability - Our systems should address the processes, policies, and controls used to ensure authorized users have prompt access to information. This serves to protect against intentional or accidental attempts to deny appropriate user access to information or systems that are necessary for the legitimate operations of the business.
Integrity of Data Systems - This relates to the processes, policies, and controls used to ensure information has not been altered without legitimate authorization, and that systems are free from unauthorized manipulation that could compromise accuracy, completeness, and reliability.
Data & System Confidentiality - This involves the processes, policies, and controls employed to protect both company and customer information against unauthorized access or use.
Accountability - This entails the processes, policies, and controls necessary to trace actions back to their source. Accountability directly supports legitimate access while deterring unauthorized intrusion, providing for better security monitoring, assisting recovery efforts, and enhancing the legal admissibility of data records.
Confidence - This addresses the processes, policies, and controls used to ensure technical and operational security measures work as intended. As part of the system design, this would support availability, integrity, confidentiality, and accountability, and highlights the notion that secure systems provide intended functions while preventing undesired actions.
What can cause security measures to lag behind advancements in technology?
Technology has opened the doors to vast informational resources, and retailers are responding aggressively to maintain a competitive edge. But in our push to get ahead in the highly competitive world of business, information technologies must reap immediate benefits. As a result, the technology can be significantly ahead of the controls. Security measures can lag behind.